Auditing and Logging


As a security best practice, set up auditing and logging on your vRealize Automation system in accordance with VMware recommendations.

Remote logging to a central log host provides a secure store for log files. By gathering log files to a central host, you can monitor the environment with a single tool. Also, you can perform aggregate analysis and search for evidence of threats such as coordinated attacks on multiple entities within the infrastructure. Logging to a secure, centralized log server can help prevent log tampering, and also provides a long-term audit record.

Ensure That the Remote Logging Server Is Secure

Often, after attackers breach the security of your host machine, they attempt to search for and tamper with log files to cover their tracks and maintain control without being discovered. Securing the remote logging server appropriately helps to discourage log tampering.

Use an Authorized NTP Server

Ensure that all host machines use the same relative time source, including the relevant localization offset, and that you can correlate the relative time source to an agreed-upon time standard such as Coordinated Universal Time (UTC). A disciplined approach to time sources enables you to quickly track and correlate an intruder's actions when you review the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks and can make auditing inaccurate.

Use at least three NTP servers from outside time sources, or configure a few local NTP servers on a trusted network that in turn obtain their time from at least three outside time sources.
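One way to check a host against the three-source recommendation above is to audit its NTP client configuration. The following is an added example, not VMware code. It assumes the host uses ntpd- or chrony-style `server`, `pool` and `peer` directives, and the function names and sample hostnames are constructed for illustration.

```python
# Added example: audit NTP client configuration text for the
# "at least three time sources" recommendation.
# Assumption: ntpd/chrony-style directives (server, pool, peer).

# Constructed sample configurations; hostnames are placeholders.
WEAK_CONF = """\
# single upstream source, plus the local clock as fallback
server ntp1.example.com iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
"""

GOOD_CONF = """\
server ntp1.example.com iburst
server ntp2.example.com iburst
server NTP2.example.com   # duplicate of the line above
server ntp3.example.com iburst
"""

SOURCE_DIRECTIVES = ("server", "pool", "peer")


def time_sources(conf_text):
    """Return the sorted, de-duplicated remote time sources named in a config."""
    sources = set()
    for raw in conf_text.splitlines():
        # Drop trailing comments, then split the directive into fields.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].lower() not in SOURCE_DIRECTIVES:
            continue
        host = fields[1].lower().rstrip(".")
        # ntpd's 127.127.t.u pseudo-addresses are local reference-clock
        # drivers (type 1 is the undisciplined local clock), not remote
        # NTP servers, so they do not count toward the minimum.
        if host.startswith("127.127."):
            continue
        sources.add(host)
    return sorted(sources)


def audit(conf_text, minimum=3):
    """Report the sources found and whether the minimum count is met."""
    found = time_sources(conf_text)
    return {"sources": found, "compliant": len(found) >= minimum}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, audit(conf))
```

A `pool` line is counted as a single source here, which is conservative because a pool name normally resolves to several servers.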